Microsoft researcher says the amount of time users are tied up with security protocols may outweigh any time saved by stopping malicious hacks and code.
It's common sense that strong passwords and awareness of malicious URLs are the best line of defense for applications and data. However, one IT researcher has done a cost/benefit analysis of such efforts and questions whether the costs of strong password management outweigh the benefits.
That's the gist of a recent study by Microsoft researcher Cormac Herley, who questions the advantages of strong password rules, which "shields [users] from the direct costs of attacks, but burdens them with far greater indirect costs in the form of effort."
Neil Rubenking, who surfaced Herley's paper on his blog, provides a synopsis of Herley's logic: that "users who ignore security advice aren't lazy or stupid; rather they're acting rationally. The advice is complex, and the benefits are 'largely speculative or moot.'"
Time is what is at issue in most security incidents, Herley reasons. The bottom line is that the amount of time users are tied up with security protocols may outweigh any time saved by stopping malicious hacks and code. As Herley explains:
"We need better understanding of the actual harms endured by users. There has been insufficient attention to the fact that it is mainly time, and not money, that users risk losing when attacked. It is also time that security advice asks of them."
Herley also points out that while "user education is a cost borne by the whole population," the benefits may only be seen by the small percentage of users that fall victim to security attacks. "The cost of any security advice should be in proportion to the victimization rate," he says.
Rubenking also points to another piece of Herley's analysis, which finds that teaching users to recognize phishing URLs is a losing proposition, not worth the time spent. "Herley calculates that a task requiring one minute per day from every working adult in the U.S. costs about $15.9 billion per year. Unnecessary security advice 'treats as free a resource that is actually worth $2.6 billion an hour.'"
Rubenking says, however, that complex, non-guessable passwords are still an important security protocol that needs to be kept in place. He recommends automating the process as much as possible for end users with a password manager that generates strong passwords.
In the words of Herley:
"Security advice is a daily burden, applied to the whole population, while an upper bound on the benefit is the harm suffered by the fraction that become victims annually. When that fraction is small, designing security advice that is beneficial is very hard. For example, it makes little sense to burden all users with a daily task to spare 0.01% of them a modest annual pain."
Is the time and cost of requiring everyone to address security protocols worth the potential time and cost saved among users who need to get back to work after an incident?
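Herley's argument in the quotes above reduces to an inequality that can be checked for any proposed piece of advice: the yearly time it asks of every user versus the harm it could at most prevent, scaled by the fraction of users actually victimized. The script below is an added example, not code from the original post or from Herley's paper. It takes the two figures quoted above (the $2.6 billion-an-hour value of all US working adults' time, and the "daily task to spare 0.01% of users" scenario) and works the arithmetic through to the break-even point. The 365-day year, the measurement of harm in hours lost per victim, and the function names are my assumptions, not the page's.

```python
"""Cost/benefit check for population-wide security advice, in Herley's terms.

Added example (not from the original post or from Herley's paper). Units are
deliberately kept in hours of user time, because the post's point is that time,
not money, is what both attacks and security advice take from users.
"""

# Figure quoted in the post: one hour of every US working adult's time.
HOURLY_VALUE_OF_ALL_WORKING_ADULTS_USD = 2.6e9
# Assumption (mine): a "daily" task is performed every calendar day.
DAYS_PER_YEAR = 365


def annual_hours_per_user(minutes_per_day: float) -> float:
    """Hours one user spends per year on advice that costs minutes_per_day."""
    return minutes_per_day * DAYS_PER_YEAR / 60.0


def national_annual_cost_usd(
    minutes_per_day: float,
    hourly_value_usd: float = HOURLY_VALUE_OF_ALL_WORKING_ADULTS_USD,
) -> float:
    """Dollar cost per year of asking every working adult for minutes_per_day.

    With the post's $2.6 billion/hour figure this lands within rounding of the
    $15.9 billion per year quoted for a one-minute daily task.
    """
    return annual_hours_per_user(minutes_per_day) * hourly_value_usd


def max_annual_benefit_hours_per_user(
    victimization_rate: float, harm_hours_per_victim: float
) -> float:
    """Upper bound on the benefit of the advice, averaged over all users.

    This assumes the advice prevents every victimization (100% effective), so
    the real benefit is at most this value; that is the bound Herley uses.
    """
    return victimization_rate * harm_hours_per_victim


def break_even_harm_hours(minutes_per_day: float, victimization_rate: float) -> float:
    """Hours each victim would have to lose for the advice to merely break even."""
    if victimization_rate <= 0:
        raise ValueError("victimization rate must be positive")
    return annual_hours_per_user(minutes_per_day) / victimization_rate


def advice_pays_off(
    minutes_per_day: float, victimization_rate: float, harm_hours_per_victim: float
) -> bool:
    """True only if the best-case benefit covers what the advice costs everyone."""
    benefit = max_annual_benefit_hours_per_user(victimization_rate, harm_hours_per_victim)
    return benefit >= annual_hours_per_user(minutes_per_day)


if __name__ == "__main__":
    # Scenario from the post: a one-minute daily task for every working adult.
    print(f"national cost of 1 min/day: ${national_annual_cost_usd(1):,.0f} per year")

    # Herley's example: a daily task that spares 0.01% of users a modest pain.
    rate = 0.0001
    print(f"break-even harm at {rate:.2%} victimization: "
          f"{break_even_harm_hours(1, rate):,.0f} hours per victim")
    print("pays off if each victim loses one working day (8 h)?",
          advice_pays_off(1, rate, 8.0))

    # Constructed contrast: a threat hitting half of all users each year, costing
    # each victim a 40-hour week. The same one-minute task now clearly pays off.
    print("pays off at 50% victimization, 40 h harm?", advice_pays_off(1, 0.5, 40.0))
```

The useful output is the break-even line: at a 0.01% annual victimization rate, a single daily minute only pays for itself if every victim would otherwise lose more than sixty thousand hours, which is why the quote calls the trade "little sense". Raising the rate or the per-victim harm moves the answer, so the same function also shows when the commenters' counterexamples (a days-long cleanup, a data breach affecting many users) do justify the burden.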
Apr 15, 2010
People can think up and remember long and obscure passwords, but when made to use a strong password, often have to write it down. I have recently been installing encryption on staff laptops, so that if it is lost, no one can access anything without the login & password - which on several of them were written on the machine. Although what drives people to do this even more than strong passwords, is having to change their password every month. They bravely try to remember Pa55w0rd, Pa55w0rd1, Pa55w0rd2, Pa55w0rd3, etc, but when it gets up into the teens, they waste so much time entering last month's password (or next month's), that they revert to writing it down. Incidentally, the encryption system aggravates this by imposing a time penalty for every mistake. I'm still dubious about what a strong password is. If you are *allowed* to use upper case, digits, symbols and long passwords, how can a hacker know whether you have taken advantage of this or not? Do all hackers start with all LC, then all UC, then all digits before they look at mixed case? If so, how do they proceed after that? Why don't the password experts tell us? If they do UC in position 1 then all LC, then UC in 1 & 2 then all LC, say, it would obviously be 'stronger' to put any UC at the end. Strong passwords can only be defined, IF the order in which combinations are tried is known. If this is known (as it may well be), why not just tell us and allow users to pick one at the end of the list?
Strong passwords aren't that hard... Use a descriptive sentence that means something to you with proper names in it and numbers. Strip out the first letter of each word, the numbers and the punctuation, and Voila' you have a strong password which is easy for *you* to remember and nearly impossible for anybody else to guess.
I am surprised no one has mentioned this yet (although this page has been sitting open in my browser for quite a long time, there may be more replies I have not yet read). I cannot figure out why corporations do not use high security password generation systems and link the passwords to the user's fingerprints. The user never has to know the password, and neither does anyone else. In a Windows corp environment the password checking is all done via AD and the fingerprint app can be set to check AD, allowing anyone with security rights to log into any system they "need" to have access to, without having to have or know any passwords. Unless an exception has been found that I do not know of, fingerprints are still unique to each individual human. I worked for a large corp, but in a smaller office (about 120 people) and we were setting this type of system up when I left that company. We set up index fingers (left or right) for everyone (easier to place on the reader) to log into their own machine; then for the users that needed multiple machine access we used their middle fingers to give them access to any machine in their "AD computer group". Then the IT guys, we all had Admin access if we used our pinkie finger to log in (left or right again, this is in case someone hurts their finger and has a bandaid, or even loses a hand). It is simple and much cheaper than the cost of having someone change a user's password every time they forget it, or when they need a loaner machine. The password generator program we chose (I have forgotten it, as it was 3 years ago) also automatically changes the user's password every 28 days, again without any intervention from any users. They just type in their user name and swipe the correct finger.
Hm.. this is a nice idea. However, I use Sticky Password manager to keep my passwords safe and well organized. http://www.stickypassword.com
The first thing you achieve with a strong password is overcomplication, and an immediate requirement to write it down. Straight away you've introduced a major risk, and the more you have, the bigger the problem. Most of us log onto loads of sites, loads of retail outlets etc, and cannot possibly remember different complex passwords. Overly complex adds nothing to security! A little complexity & 8 digits min, and our own system/format rules should be enough for us all surely?
I guess backups are not worthwhile either since you only need them 0.001% of the time. If my computer were infected, it could take DAYS to get things straight and clear up the mess. The problem is that the author thinks that all minutes of the day are of equal value. Would you spare five minutes to help someone with a problem? Did you do a cost-benefit analysis beforehand? I thought not.
Wonder whether people would say strong passwords are worth it after a government employee with access to confidential data uses a weak password and 3 million SSNs are hacked.
What Mr. Herley seems to advocate is taking the brain out of the user and entrusting it to the geeks. What purpose would this serve? It would be like giving everyone in the U.S. a chauffeur. After a time, only the chauffeur remembers how to operate and maintain the vehicle. What happens if the chauffeur has a heart attack? Mr. Herley also seems to imply users are not smart enough to ever figure out how to secure a computer. While I do think it is true that cyber-criminals will always be far smarter in their craft than the average user, it is disingenuous to say he is looking out for the best interest of users while at the same time insulting their abilities. Let's go back to the driving analogy. If all cars were driven by chauffeurs they would no doubt have a set checklist of operational dos and don'ts. This would be very efficient, and chauffeurs, like geeks, love efficiency. What if an item made it onto the list that was wrong or became circumvented by traffic regulation changes? Potentially every chauffeur would have an accident, causing gridlock on an unprecedented scale. Okay, that analogy is getting a bit thin, so here is the rub. If the user is taken out of the equation and all security is concentrated in the hands of a few well meaning but imperfect geeks, what happens to productivity when the very smart hackers figure out how to get around the security? Is that catastrophic? Sometimes risk management dictates you absorb a little risk constantly to stop any form of catastrophic risk from occurring. This is why we endeavor to educate users whether they appreciate it or not. In the long run, and this issue is going away no time soon, it is the least risky course to take. Mr. Herley needs to factor that into his research a bit more IMO. Now, can we stop having every blogger in the sphere blog about this one paper and move on? kthksbye.
While a stolen password tends to be used immediately, I'm really surprised they didn't acknowledge the fact that the hacker often continues to use the access unbeknownst to the victim, especially in cases of corporate espionage. A stolen password may provide clandestine access to the thief indefinitely if he's good at covering his tracks. Changing the password will limit that access, forcing the hacker to retrieve (or guess) the new password. I guess if you want to accumulate over all users the 30 seconds it takes once every x weeks or months to change a password, then yes, it'll add up. But I'd still rather play it safe than find out that I've been hacked -- and abused for a long time -- and could have prevented it by changing the password.